
CVE-2020-2212: Secret stored in plain text by Jenkins GitHub Coverage Reporter Plugin

CVSS Score
4.3 (CVSS v3.1)

Basic Information

EPSS Score
0.03792%
Published
5/24/2022
Updated
10/26/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name                                  Ecosystem   Vulnerable Versions   First Patched Version
io.jenkins.plugins:github-coverage-reporter   maven       <= 1.10               none listed

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from storing a credential unencrypted in the plugin's XML configuration file. Jenkins persists global plugin settings by serializing the configuration object (typically a GlobalConfiguration or Descriptor subclass whose configure() method binds the submitted form and calls save()) to $JENKINS_HOME/<fully.qualified.ClassName>.xml with XStream. A field declared as a plain String is written out verbatim, whereas a field of type hudson.util.Secret is written in its encrypted form, keyed to the controller's master key. The plugin's PluginConfiguration class would hold the GitHub token, so a String-typed token field, or getters/setters that pass the raw value straight through to save(), directly produces the plaintext file. The exact implementation isn't visible here, but this matches both the Jenkins plugin persistence model and the described mechanism; the usual fix is to store the token as a Secret or, better, as a Credentials-plugin entry referenced by ID.
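A practitioner's first question on an affected controller is whether the token is actually sitting in the file in the clear. The scanner below is an added example (not the plugin's code and not from the Miggo page): it walks a Jenkins global-configuration XML, skips values in the `{base64}` shape that hudson.util.Secret uses for encrypted storage, and flags leaf values that look like GitHub tokens. The element name `githubAccessToken`, the token regexes, and the sample XML are constructed assumptions for illustration; the file name comes from the advisory.

```python
"""Find secrets stored in plain text in a Jenkins global configuration XML.

Added example for CVE-2020-2212; not part of the plugin or the Miggo page.
Element names, token heuristics and the sample document are constructed.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path
import xml.etree.ElementTree as ET

# hudson.util.Secret serializes as "{<base64>}" (AES-encrypted with the
# controller's master key). Anything not in that shape was written verbatim.
SECRET_FORM = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Assumption: heuristics for GitHub tokens (prefix-style tokens such as
# ghp_/gho_/ghu_/ghs_/ghr_, and the older 40-hex personal access tokens).
TOKEN_PATTERNS = [
    re.compile(r"^gh[pousr]_[A-Za-z0-9]{36,}$"),
    re.compile(r"^[0-9a-f]{40}$"),
]

# File named in the advisory; the directory is the controller's JENKINS_HOME.
CONFIG_FILE_NAME = "io.jenkins.plugins.gcr.PluginConfiguration.xml"


def is_encrypted_secret(value: str) -> bool:
    """True if the value is in Jenkins' encrypted Secret form."""
    return bool(SECRET_FORM.match(value.strip()))


def looks_like_github_token(value: str) -> bool:
    v = value.strip()
    return any(p.match(v) for p in TOKEN_PATTERNS)


def _walk(elem: ET.Element, prefix: str = ""):
    path = f"{prefix}/{elem.tag}"
    yield path, elem
    for child in elem:
        yield from _walk(child, path)


def find_plaintext_tokens(xml_text: str) -> list[tuple[str, str]]:
    """Return (element path, redacted value) for each leaf holding a
    token-shaped value that is NOT wrapped in the encrypted Secret form."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, elem in _walk(root):
        text = (elem.text or "").strip()
        if not text or is_encrypted_secret(text):
            continue
        if looks_like_github_token(text):
            # Never echo the full token into logs; keep just enough to locate it.
            findings.append((path, text[:4] + "..." + text[-4:]))
    return findings


# Constructed sample of an affected controller's file: a plaintext token
# (hypothetical field name) next to a value that was stored as a Secret.
SAMPLE_XML = """<io.jenkins.plugins.gcr.PluginConfiguration plugin="github-coverage-reporter@1.10">
  <githubAccessToken>ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij</githubAccessToken>
  <otherToken>{AQAAABAAAAAwMTIzNDU2Nzg5YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=}</otherToken>
</io.jenkins.plugins.gcr.PluginConfiguration>
"""

if __name__ == "__main__":
    # Usage: python scan_jenkins_config.py [$JENKINS_HOME/<CONFIG_FILE_NAME>]
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_XML
    hits = find_plaintext_tokens(text)
    for path, redacted in hits:
        print(f"PLAINTEXT TOKEN at {path}: {redacted}")
    sys.exit(1 if hits else 0)
```

Run it against `$JENKINS_HOME/io.jenkins.plugins.gcr.PluginConfiguration.xml` on the controller (or against a backup of JENKINS_HOME, which is just as exposed). A non-zero exit means a token is readable by anyone with file-system access to the controller, and it should be revoked on GitHub and re-issued, not merely re-entered, since the old value may already have been copied.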


WAF Protection Rules

WAF Rule

GitHub Coverage Reporter Plugin 1.10 and earlier stores a GitHub access token in plain text in its global configuration file `io.jenkins.plugins.gcr.PluginConfiguration.xml`. This token can be viewed by users with access to the Jenkins controller fil
